colibri | 9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Size

4.9MB
MD5

f32026ab859baf87e56f628b87ec52a0
SHA1

926a579598eb4364b9cd10a036a294809fd3cb16
SHA256

9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975
SHA512

69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c
SSDEEP

49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score

10^/10

colibri dcrat build1 discovery evasion execution infostealer loader rat trojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

rc4.plain

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	5016	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	5016	schtasks.exe	82

UAC bypass 3 TTPs 45 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1220-3-0x000000001BEF0000-0x000000001C01E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1224	powershell.exe
4716	powershell.exe
3128	powershell.exe
1236	powershell.exe
3728	powershell.exe
4808	powershell.exe
2644	powershell.exe
3392	powershell.exe
2240	powershell.exe
4964	powershell.exe
876	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	System.exe

Executes dropped EXE 42 IoCs

pid	Process
2340	tmp8E78.tmp.exe
4308	tmp8E78.tmp.exe
4480	tmp8E78.tmp.exe
464	tmp8E78.tmp.exe
2664	System.exe
4880	System.exe
912	tmpECD1.tmp.exe
3160	tmpECD1.tmp.exe
3728	System.exe
2684	tmp1DB4.tmp.exe
4716	tmp1DB4.tmp.exe
4604	System.exe
1084	tmp4F92.tmp.exe
740	tmp4F92.tmp.exe
4540	System.exe
1872	System.exe
4196	System.exe
848	tmpA7A5.tmp.exe
1236	tmpA7A5.tmp.exe
3432	System.exe
4564	tmpC501.tmp.exe
2788	tmpC501.tmp.exe
2764	tmpC501.tmp.exe
4540	System.exe
1252	tmpF71D.tmp.exe
3088	tmpF71D.tmp.exe
1636	System.exe
876	tmp291A.tmp.exe
4792	tmp291A.tmp.exe
2948	System.exe
448	tmp457B.tmp.exe
2368	tmp457B.tmp.exe
1928	System.exe
2904	tmp7594.tmp.exe
4584	tmp7594.tmp.exe
2572	System.exe
828	tmpA7B0.tmp.exe
3976	tmpA7B0.tmp.exe
2040	tmpA7B0.tmp.exe
1420	System.exe
4284	tmpC440.tmp.exe
3520	tmpC440.tmp.exe

Checks whether UAC is enabled 1 TTPs 30 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 464	4480	tmp8E78.tmp.exe	133
PID 912 set thread context of 3160	912	tmpECD1.tmp.exe	174
PID 2684 set thread context of 4716	2684	tmp1DB4.tmp.exe	182
PID 1084 set thread context of 740	1084	tmp4F92.tmp.exe	188
PID 848 set thread context of 1236	848	tmpA7A5.tmp.exe	200
PID 2788 set thread context of 2764	2788	tmpC501.tmp.exe	207
PID 1252 set thread context of 3088	1252	tmpF71D.tmp.exe	213
PID 876 set thread context of 4792	876	tmp291A.tmp.exe	219
PID 448 set thread context of 2368	448	tmp457B.tmp.exe	225
PID 2904 set thread context of 4584	2904	tmp7594.tmp.exe	231
PID 4284 set thread context of 3520	4284	tmpC440.tmp.exe	244

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Crashpad\reports\27d1bcfc3c54e0	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Windows Defender\es-ES\e6c9b481da804f	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCX9B6E.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Crashpad\reports\System.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfficeClickToRun.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Windows Sidebar\sppsvc.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Windows Sidebar\0a1fd5f707cd16	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Windows Defender\es-ES\OfficeClickToRun.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Windows Sidebar\RCX98BE.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Windows Sidebar\sppsvc.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCXA286.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Program Files\Crashpad\reports\System.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\55b276f4edf653	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\schemas\RCX969A.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\TAPI\RuntimeBroker.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\ee2ad38f3d4382	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\schemas\fontdrvhost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\es-ES\5b884080fd4f94	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\it-IT\RCXA71B.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\TAPI\RuntimeBroker.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\Registry.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\it-IT\ee2ad38f3d4382	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\es-ES\RCXA004.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\Globalization\ICU\Idle.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\schemas\5b884080fd4f94	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\bcastdvr\StartMenuExperienceHost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\RCX9271.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\Registry.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\schemas\fontdrvhost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\bcastdvr\StartMenuExperienceHost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\Globalization\ICU\Idle.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\bcastdvr\RCX9DF0.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\TAPI\9e8d7a4ca61bd9	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\Globalization\ICU\6ccacd8608530f	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\TAPI\RCX8B49.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\es-ES\fontdrvhost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\es-ES\fontdrvhost.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\Globalization\ICU\RCX8FE0.tmp	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File opened for modification	C:\Windows\it-IT\Registry.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
File created	C:\Windows\it-IT\Registry.exe	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7B0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E78.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpECD1.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC440.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC501.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7B0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp4F92.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA7A5.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpC501.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpF71D.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp457B.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E78.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp1DB4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7594.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp8E78.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp291A.tmp.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3580	schtasks.exe
1236	schtasks.exe
1972	schtasks.exe
1420	schtasks.exe
4592	schtasks.exe
2832	schtasks.exe
1928	schtasks.exe
536	schtasks.exe
1224	schtasks.exe
2056	schtasks.exe
5056	schtasks.exe
1328	schtasks.exe
3684	schtasks.exe
4252	schtasks.exe
1188	schtasks.exe
1804	schtasks.exe
2920	schtasks.exe
1912	schtasks.exe
3992	schtasks.exe
3864	schtasks.exe
3888	schtasks.exe
860	schtasks.exe
4284	schtasks.exe
4932	schtasks.exe
4560	schtasks.exe
4144	schtasks.exe
4996	schtasks.exe
1136	schtasks.exe
3152	schtasks.exe
2676	schtasks.exe
3968	schtasks.exe
1604	schtasks.exe
4988	schtasks.exe
1072	schtasks.exe
3176	schtasks.exe
4780	schtasks.exe
1144	schtasks.exe
2680	schtasks.exe
4016	schtasks.exe
3076	schtasks.exe
2632	schtasks.exe
4980	schtasks.exe
4504	schtasks.exe
3664	schtasks.exe
3392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
4808	powershell.exe
4808	powershell.exe
3392	powershell.exe
3392	powershell.exe
4716	powershell.exe
4716	powershell.exe
876	powershell.exe
876	powershell.exe
3128	powershell.exe
3128	powershell.exe
2240	powershell.exe
2240	powershell.exe
4964	powershell.exe
4964	powershell.exe
3728	powershell.exe
3728	powershell.exe
1224	powershell.exe
1224	powershell.exe
1236	powershell.exe
1236	powershell.exe
2644	powershell.exe
2644	powershell.exe
4716	powershell.exe
2644	powershell.exe
4964	powershell.exe
4808	powershell.exe
4808	powershell.exe
2240	powershell.exe
876	powershell.exe
3392	powershell.exe
3392	powershell.exe
3728	powershell.exe
3128	powershell.exe
1224	powershell.exe
1236	powershell.exe
2664	System.exe
4880	System.exe
3728	System.exe
4604	System.exe
4540	System.exe
1872	System.exe
4196	System.exe
3432	System.exe
4540	System.exe
1636	System.exe
2948	System.exe
1928	System.exe
2572	System.exe
1420	System.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2664	System.exe
Token: SeDebugPrivilege	4880	System.exe
Token: SeDebugPrivilege	3728	System.exe
Token: SeDebugPrivilege	4604	System.exe
Token: SeDebugPrivilege	4540	System.exe
Token: SeDebugPrivilege	1872	System.exe
Token: SeDebugPrivilege	4196	System.exe
Token: SeDebugPrivilege	3432	System.exe
Token: SeDebugPrivilege	4540	System.exe
Token: SeDebugPrivilege	1636	System.exe
Token: SeDebugPrivilege	2948	System.exe
Token: SeDebugPrivilege	1928	System.exe
Token: SeDebugPrivilege	2572	System.exe
Token: SeDebugPrivilege	1420	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2340	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	129
PID 1220 wrote to memory of 2340	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	129
PID 1220 wrote to memory of 2340	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	129
PID 2340 wrote to memory of 4308	2340	tmp8E78.tmp.exe	131
PID 2340 wrote to memory of 4308	2340	tmp8E78.tmp.exe	131
PID 2340 wrote to memory of 4308	2340	tmp8E78.tmp.exe	131
PID 4308 wrote to memory of 4480	4308	tmp8E78.tmp.exe	132
PID 4308 wrote to memory of 4480	4308	tmp8E78.tmp.exe	132
PID 4308 wrote to memory of 4480	4308	tmp8E78.tmp.exe	132
PID 4480 wrote to memory of 464	4480	tmp8E78.tmp.exe	133
PID 4480 wrote to memory of 464	4480	tmp8E78.tmp.exe	133
PID 4480 wrote to memory of 464	4480	tmp8E78.tmp.exe	133
PID 4480 wrote to memory of 464	4480	tmp8E78.tmp.exe	133
PID 4480 wrote to memory of 464	4480	tmp8E78.tmp.exe	133
PID 4480 wrote to memory of 464	4480	tmp8E78.tmp.exe	133
PID 4480 wrote to memory of 464	4480	tmp8E78.tmp.exe	133
PID 1220 wrote to memory of 3728	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	134
PID 1220 wrote to memory of 3728	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	134
PID 1220 wrote to memory of 4808	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	135
PID 1220 wrote to memory of 4808	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	135
PID 1220 wrote to memory of 1236	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	136
PID 1220 wrote to memory of 1236	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	136
PID 1220 wrote to memory of 3128	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	137
PID 1220 wrote to memory of 3128	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	137
PID 1220 wrote to memory of 876	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	138
PID 1220 wrote to memory of 876	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	138
PID 1220 wrote to memory of 4716	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	139
PID 1220 wrote to memory of 4716	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	139
PID 1220 wrote to memory of 4964	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	140
PID 1220 wrote to memory of 4964	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	140
PID 1220 wrote to memory of 2240	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	141
PID 1220 wrote to memory of 2240	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	141
PID 1220 wrote to memory of 3392	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	143
PID 1220 wrote to memory of 3392	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	143
PID 1220 wrote to memory of 1224	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	145
PID 1220 wrote to memory of 1224	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	145
PID 1220 wrote to memory of 2644	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	146
PID 1220 wrote to memory of 2644	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	146
PID 1220 wrote to memory of 5000	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	156
PID 1220 wrote to memory of 5000	1220	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe	156
PID 5000 wrote to memory of 3636	5000	cmd.exe	159
PID 5000 wrote to memory of 3636	5000	cmd.exe	159
PID 5000 wrote to memory of 2664	5000	cmd.exe	163
PID 5000 wrote to memory of 2664	5000	cmd.exe	163
PID 2664 wrote to memory of 1384	2664	System.exe	165
PID 2664 wrote to memory of 1384	2664	System.exe	165
PID 2664 wrote to memory of 4840	2664	System.exe	166
PID 2664 wrote to memory of 4840	2664	System.exe	166
PID 1384 wrote to memory of 4880	1384	WScript.exe	169
PID 1384 wrote to memory of 4880	1384	WScript.exe	169
PID 4880 wrote to memory of 860	4880	System.exe	170
PID 4880 wrote to memory of 860	4880	System.exe	170
PID 4880 wrote to memory of 4556	4880	System.exe	171
PID 4880 wrote to memory of 4556	4880	System.exe	171
PID 4880 wrote to memory of 912	4880	System.exe	172
PID 4880 wrote to memory of 912	4880	System.exe	172
PID 4880 wrote to memory of 912	4880	System.exe	172
PID 912 wrote to memory of 3160	912	tmpECD1.tmp.exe	174
PID 912 wrote to memory of 3160	912	tmpECD1.tmp.exe	174
PID 912 wrote to memory of 3160	912	tmpECD1.tmp.exe	174
PID 912 wrote to memory of 3160	912	tmpECD1.tmp.exe	174
PID 912 wrote to memory of 3160	912	tmpECD1.tmp.exe	174
PID 912 wrote to memory of 3160	912	tmpECD1.tmp.exe	174
PID 912 wrote to memory of 3160	912	tmpECD1.tmp.exe	174

System policy modification 1 TTPs 45 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	System.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe
"C:\Users\Admin\AppData\Local\Temp\9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975N.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1220
- C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkfOo19U8s.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3636
- - C:\Program Files\Crashpad\reports\System.exe
    "C:\Program Files\Crashpad\reports\System.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2664
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf07e08-5d49-40f9-93c5-c35239c39bf2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4880
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a4d808a-18a8-4392-be31-376cc5725bed.vbs"
        6⤵
        
        PID:860
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        7⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9493fdbb-2d8a-4d6a-a79b-700f0135b2b7.vbs"
        8⤵
        
        PID:4616
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6aad95-b172-4920-b230-f5a3934c56c3.vbs"
        10⤵
        
        PID:3744
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ed1e323-2c5b-43f5-a906-7da9f2b93e3a.vbs"
        12⤵
        
        PID:2436
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2d003bd-6655-480a-8ca6-0186b389b77f.vbs"
        14⤵
        
        PID:5012
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e5c8f5-de00-4b16-9d5b-8437efdeb6c0.vbs"
        16⤵
        
        PID:2800
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99f7eae5-93a1-4712-ba12-6d2ccd3daf18.vbs"
        18⤵
        
        PID:4708
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f769152-9814-41f7-a5ad-a0d665cd739a.vbs"
        20⤵
        
        PID:2144
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6fbb1db-208b-4406-beb2-ce16328ea601.vbs"
        22⤵
        
        PID:4436
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38009502-d819-4e65-bdbc-a0747ca14a73.vbs"
        24⤵
        
        PID:4920
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e41e82ce-aae2-4694-9aa5-2e905ba0daa5.vbs"
        26⤵
        
        PID:1916
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ad24ca4-0e35-4aea-a842-04c73a0c708f.vbs"
        28⤵
        
        PID:2540
        
        C:\Program Files\Crashpad\reports\System.exe
        
        "C:\Program Files\Crashpad\reports\System.exe"
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86ae837-d1f7-45bf-b7f6-6027a8cdc695.vbs"
        30⤵
        
        PID:4188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd6a5917-54d9-408e-afb5-7ce225d9feb4.vbs"
        30⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmpC440.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC440.tmp.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmpC440.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC440.tmp.exe"
        31⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35c4f682-732a-42c7-8cf7-68720392c7a9.vbs"
        28⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmpA7B0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7B0.tmp.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmpA7B0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7B0.tmp.exe"
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmpA7B0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7B0.tmp.exe"
        30⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f1f8458-569f-4cf2-afc5-c4699b630fa3.vbs"
        26⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7594.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7594.tmp.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7594.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp7594.tmp.exe"
        27⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d71b0bc-da4c-48ca-b951-00b9f99d4963.vbs"
        24⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp457B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp457B.tmp.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp457B.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp457B.tmp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8a41186-c129-4684-91fa-56710fccc13b.vbs"
        22⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp291A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp291A.tmp.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp291A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp291A.tmp.exe"
        23⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6d22a20-042b-4163-bdd8-8d72b7d17422.vbs"
        20⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmpF71D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF71D.tmp.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmpF71D.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpF71D.tmp.exe"
        21⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30e5e70c-f7b0-4b9c-be46-64092a4bef52.vbs"
        18⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmpC501.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC501.tmp.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmpC501.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC501.tmp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmpC501.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpC501.tmp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21017b86-17f4-45bb-b284-03e5ec4a62c4.vbs"
        16⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmpA7A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7A5.tmp.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Local\Temp\tmpA7A5.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpA7A5.tmp.exe"
        17⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85ccd6d2-d61a-4a47-b3b9-a131aacaef9d.vbs"
        14⤵
        
        PID:4516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2857dd9-bde4-4e7d-9179-dfa5740209d3.vbs"
        12⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf73cf7b-a8e9-4b79-8082-b31646442db4.vbs"
        10⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp4F92.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4F92.tmp.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp4F92.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp4F92.tmp.exe"
        11⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f8351ca-2ec8-4974-9324-99469df5b558.vbs"
        8⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp1DB4.tmp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4716
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1262baf-b1d3-4430-9587-e4c7ad72be3d.vbs"
        6⤵
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmpECD1.tmp.exe"
        7⤵
        Executes dropped EXE
        
        PID:3160
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0217eb6-92a2-434a-9c78-b63d32720ba6.vbs"
      4⤵
      PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\ICU\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Globalization\ICU\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ICU\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\SLS\2B81F1BF-356C-4FA1-90F1-7581A62C6764\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Crashpad\reports\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Crashpad\reports\System.exe

Filesize
4.9MB

MD5
1c3edf297c5ab045037a55e77edb66ae

SHA1
34d31b44c57bdf68b53d8a4ea74d7c8a581a1dad

SHA256
caabc30800ddbfa379d5193bd31f429a5a484d003618bb5bf3c0ec72d6d26137

SHA512
32c5c26ec2080a04d2d3b475ecda920ed08d3fc6e37e2fe0ed194f8b666f6e21568f5b9cab94101b7d7b7f058e1c9cf1e5d3b97c7e300f4f93cc8237860966b3

Download Submit
C:\Program Files\Windows Defender\es-ES\OfficeClickToRun.exe

Filesize
4.9MB

MD5
2226ec604359223137bd2aa0d4860489

SHA1
1fe53ad0ab26f9bda42a7247e0f683b5e6e92a7c

SHA256
62295472a0fe140c684954eea277a70749fd184fabfcc0a01bce95ee5d0cea21

SHA512
9498fb64e46a836b6e62502afcd6bda6a22bf08d3d6125923855f68e954ad38ac1eba2f8c734aaf29e0283d71810be2907485616275ed61111a35679904b7dad

Download Submit
C:\Recovery\WindowsRE\RCXA920.tmp

Filesize
4.9MB

MD5
54288b2819dd1d9b4fbf7eab860ea00f

SHA1
ed2c2b53eb8ccdff53f2616208124b4b1fcdb11d

SHA256
8286cd8647f1c823d5d335b9b5d76b9155a7ff15db25df47c221a0c1a237e321

SHA512
b000dfa3600696481d3d69842b9460a939a1857df8c71598ac37bee43140de42d0108f6e31f2b86ce167efa549bec9e7030e6c3b50cd9869e4b8feec4b8a91b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
793B

MD5
3e8b1ace10047a08ddd03f1dfd1c4cfb

SHA1
0f69bd287620bf199d5d887729869e2352684ffd

SHA256
18f6851181e68c0b96853b8a2e87d87b2fdc3bb11eb74dd8e5b2c04249652f68

SHA512
684826bb09d3c38a3a27d8434af4ef2d3e4016f102f76c6d98f06efd361df7e989323a674007508a85d6aa20bceecb148614ad551d25e38d5920ed28f870abbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a4d808a-18a8-4392-be31-376cc5725bed.vbs

Filesize
720B

MD5
1c42d429140d55c9f48fb4640cee530a

SHA1
a19390dfe3d71203ffc0aeba9bb952bbba1779b5

SHA256
c3dafd3db63565560cab71e1f355cf3b3bab4e144263e7d983faf84586b6cf43

SHA512
35e1dd9a3f501cb816877dbc8a538a05feacb764c2b1c475fc2e1f1a663ec9317a35a8ca93e164817f1be906b90e2ce492e62ebd2c3be9009e9a6376e37db980

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ed1e323-2c5b-43f5-a906-7da9f2b93e3a.vbs

Filesize
720B

MD5
1368febbaf9de1fc7d1156ab1d305cb1

SHA1
ee03c12b26eaac191ae5e37a3a31058bfa0acb00

SHA256
5ee5b50dcc8289056118129103e8b001b9deb6966c076c489f627f7be55c9315

SHA512
a884e8ddd4a0d4fae72b7a5c6d094d14c3b171568ec3c537bc8b32cea86b49981d1941ab33162415cf65fdeb0d3e12bef03765fc7b74339eefcbcf228d0664a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9493fdbb-2d8a-4d6a-a79b-700f0135b2b7.vbs

Filesize
720B

MD5
d07b29f892c3b7d1fbca5444d1b167ee

SHA1
5ea44038a4a7a1aab204f3f00865da4a02c1a94b

SHA256
e4a3cedfaa51751167fdee71b38f59695bccebcaaf38081fbaca657a9cb7aa1f

SHA512
6a4160c6ae7d7ba95bf245051c845feadeaae6827039eac15fb534397bccda96d79fcad524c0c473c66db2258742a355ad119063f128bd45681258793883e6d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\99f7eae5-93a1-4712-ba12-6d2ccd3daf18.vbs

Filesize
720B

MD5
b92c8e57f33c5df7db57196dce0d0bf2

SHA1
9c17c5786617e7f674b6beda2cd6c9e104bbfa44

SHA256
b57852250be992435c0babebe25319aa08b81375bc0d8b5268d498a4cf36b71e

SHA512
aac8d97505e2bad2479e05dd89d24d0d0f9cd634ab63d11d8d667965d0eb93a5f09e7271749d71a4dc74d4775be350f09debff1426c268399dc07a76b93a16bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1aumsvy3.hhj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2e5c8f5-de00-4b16-9d5b-8437efdeb6c0.vbs

Filesize
720B

MD5
9f9fe8f439d6b4a45c3c1619e5eda181

SHA1
6137cb30ab2b05c8d897303d959c0dc14432a9fe

SHA256
7dbccebe826b513c7ab4a25b251cedad55ebb5914bad5c22a102cb0b1afdec74

SHA512
7e87587e47be6221c510563743e2c35ba48b30a914f20e9375f342a007a31834facc76d25183fe4c3d8cc66dd1889e43d6a5492f46cb72b92bfc8b41280c655c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbf07e08-5d49-40f9-93c5-c35239c39bf2.vbs

Filesize
720B

MD5
8f1804244d2e95c179ab7331107f4f7f

SHA1
b6ca55676678f23b68388ee2a036486d8138b029

SHA256
30301a40065a7ce086fda55074dad5beba04c25c61e7a99a78760fab4a38b15f

SHA512
6a34f7ced22e73aa7f9befb65431392cd124e6735e3b58dce1d22e9ab052973764ff25b15f7979aec9dff8179901bc3d22518e019800cfa43bf15356c16676aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc6aad95-b172-4920-b230-f5a3934c56c3.vbs

Filesize
720B

MD5
ca34ea28c7c3eb6d256f68b7c9490011

SHA1
58ede08aa5f279bdd5cdec5e5636b0eb4e5b7057

SHA256
44eaa16dab07c51f615b51bd28d1e4ecd363cfda9a193f647da9665b2f47f14b

SHA512
e0480dbdb92699c22542f0dd6fb50d7c5f00dc2d8bbc2835c61b618d653c3e0b2b13a5c29b9a694706fe6cf18fe80dd5b5b7625d7b52f4b47bea9128edf862c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2d003bd-6655-480a-8ca6-0186b389b77f.vbs

Filesize
720B

MD5
af3bcd842ceeaffb9a8ce9442feda6a5

SHA1
8032979454ede05c6a9b75494b3f5e4f3bfb75c6

SHA256
41e8a9974cad2b66e5fb939323e4f26f7a87e3b63e8fe4a63f489afbebcaeffb

SHA512
6b75575d068fac5e7d8798c4a8190256fea5cdb48904cbe32cc3d24b8537788319b16a154c42980a13c65924195fa72528102dcbf8706dbc8fc7c55fb05122fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0217eb6-92a2-434a-9c78-b63d32720ba6.vbs

Filesize
496B

MD5
c0d8eb1ea46a8b28d5524e38c623c057

SHA1
4ceb9b4315591fe168608ab9b462db7b2890fbbe

SHA256
caac5af590235a738bb7a2eb7ddbc6489dfaa4ea888508e9d155a9c035c93ba9

SHA512
0ac04fb8c77cd098d1d6cb3742b78fbc3e2f040eb936302eedbad739a40095758d758ebea508ec9afc8c3780b23fb5bb5a6423ca5abf263517f9e4e41db233fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkfOo19U8s.bat

Filesize
209B

MD5
887239f1bd30c33f8b6e7bc9d8b9fbdc

SHA1
9d86d55c5d3e4765fb7beb36a8e646a6f4e3eced

SHA256
178dd08bbec5d031d27a21f860e213c65e32eea7d2c389b369f8ebe52f181964

SHA512
7a2979c9a38653177c209f341eab631a6a838022072972ae5dd106a108f9413953c9b8cb3efba866713ff520dad00e4442d7da81bb2da77098c574f61618e411

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E78.tmp.exe

Filesize
75KB

MD5
e0a68b98992c1699876f818a22b5b907

SHA1
d41e8ad8ba51217eb0340f8f69629ccb474484d0

SHA256
2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

SHA512
856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

Download Submit
C:\Users\Admin\dllhost.exe

Filesize
4.9MB

MD5
f32026ab859baf87e56f628b87ec52a0

SHA1
926a579598eb4364b9cd10a036a294809fd3cb16

SHA256
9cf3593e9d3fbfe75dfc972cc38287ffffb1a7f5bc6f73ef0fb0d7232554c975

SHA512
69995e9225f48252f83d3b047cc665beaefc7761e6179e83165aaf21ca941829929b1cd1cdef9a9424ceeb60bf8eb54130a1472cbc55b1a2ac65a31a32278b6c

Download Submit
C:\Windows\TAPI\RuntimeBroker.exe

Filesize
4.9MB

MD5
09717c518c2302c2c42cbfa36f01b0dd

SHA1
3ffe48a7c7bdad17934bea931490f09dd8fa4e83

SHA256
6f6210f02c4ac0ec919151a36ea433aed158f403e0e643956d9475339f1dfe45

SHA512
83ee814658df53ca0fd4a981597e7c4c91274878216993fc3553ecca2261085fda3a1ffcbfefd545eaecaa861c739f5031819daf99e5c74e190544e85ee71754

Download Submit
memory/464-80-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1220-18-0x000000001C080000-0x000000001C08C000-memory.dmp

Filesize
48KB

Download
memory/1220-1-0x0000000000BF0000-0x00000000010E4000-memory.dmp

Filesize
5.0MB

Download
memory/1220-4-0x0000000001980000-0x000000000199C000-memory.dmp

Filesize
112KB

Download
memory/1220-163-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

Filesize
10.8MB

Download
memory/1220-177-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

Filesize
10.8MB

Download
memory/1220-12-0x000000001CBE0000-0x000000001D108000-memory.dmp

Filesize
5.2MB

Download
memory/1220-0-0x00007FFAE2A13000-0x00007FFAE2A15000-memory.dmp

Filesize
8KB

Download
memory/1220-13-0x000000001C030000-0x000000001C03A000-memory.dmp

Filesize
40KB

Download
memory/1220-14-0x000000001C040000-0x000000001C04E000-memory.dmp

Filesize
56KB

Download
memory/1220-16-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/1220-17-0x000000001C070000-0x000000001C078000-memory.dmp

Filesize
32KB

Download
memory/1220-8-0x0000000001E60000-0x0000000001E76000-memory.dmp

Filesize
88KB

Download
memory/1220-15-0x000000001C050000-0x000000001C05E000-memory.dmp

Filesize
56KB

Download
memory/1220-148-0x00007FFAE2A13000-0x00007FFAE2A15000-memory.dmp

Filesize
8KB

Download
memory/1220-2-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

Filesize
10.8MB

Download
memory/1220-5-0x0000000001E90000-0x0000000001EE0000-memory.dmp

Filesize
320KB

Download
memory/1220-6-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/1220-7-0x0000000001E50000-0x0000000001E60000-memory.dmp

Filesize
64KB

Download
memory/1220-11-0x000000001C020000-0x000000001C032000-memory.dmp

Filesize
72KB

Download
memory/1220-3-0x000000001BEF0000-0x000000001C01E000-memory.dmp

Filesize
1.2MB

Download
memory/1220-10-0x000000001BED0000-0x000000001BEDA000-memory.dmp

Filesize
40KB

Download
memory/1220-9-0x0000000001E80000-0x0000000001E90000-memory.dmp

Filesize
64KB

Download
memory/2664-301-0x0000000000E10000-0x0000000001304000-memory.dmp

Filesize
5.0MB

Download
memory/2664-302-0x000000001C0C0000-0x000000001C0D2000-memory.dmp

Filesize
72KB

Download
memory/3728-338-0x0000000001A40000-0x0000000001A52000-memory.dmp

Filesize
72KB

Download
memory/4604-362-0x000000001B580000-0x000000001B592000-memory.dmp

Filesize
72KB

Download
memory/4808-196-0x000001DFF54A0000-0x000001DFF54C2000-memory.dmp

Filesize
136KB

Download